
8/21/2010
05:56 PM

Choosing The Right Firewall For Your Small Business

After the last post, Four Must-Have SMB Security Tools, readers had a lot of questions about selecting the right firewall for an SMB. Although I've answered each of those emails, those questions are a great segue to this topic: choosing the right firewall for your SMB.

If you're not sure where to start, there are some key questions you should think about and have ready for discussion with your potential firewall vendor or integrator. Keep in mind, each environment is unique, and a quality integrator might have additional questions for you. Having been on the other end of the stick for many years, I encourage you to actively engage in any discussions a vendor initiates and answer any questions he or she has. The "please just quote me on XYZ" attitude can leave you with a product that might not meet all your needs. Take the time, do it the right way, and I can almost guarantee you'll be pleased with the results.

Bandwidth sizing

One of the first considerations for a firewall or any device that sits at the WAN is the throughput. You'll need to know your current WAN bandwidth from your provider as well as any burstable limits. For example, you may have a 10 Mbps link with the capability to burst to 25 Mbps. Couple that information with any data you have on current usage and then identify potential bandwidth growth in the coming years. You should plan enough room for growth for however long you plan to have that box in place. Look at the stateful throughput and maximum connection numbers on firewalls you're considering. These numbers will help filter out the bulk of products and models from your potential list and narrow your field to two to three models per vendor.

Layered security

The next key question will be whether you plan to add gateway security services to your firewall or unified threat management (UTM) device. Personally, I suggest doing so whenever possible. Most UTMs license security features per box instead of per user, so it's a great way to add a layer of security for a nominal fee. Common gateway security services are antivirus, anti-spyware, and IDS/IPS. Here's the important part: If you're adding gateway security to your firewall, it will affect the performance. Don't worry; that's not a bad thing unless you started with too small a box. Revisit the first question and weed out any boxes that can't handle security services with the bandwidth you need. Remember to consider your future needs and size appropriately. Look at the UTM throughput numbers for products you're considering. At this point you'll have just one to two models per vendor to consider.

Remote connections

Here's where we get into considerations a lot of people overlook. Check out your current firewall configuration very carefully, and make sure you can identify all the functions it's currently performing. Of specific note are remote connections, including site-to-site VPNs and remote access VPNs for employees or partners. It's unlikely your VPN needs will dictate the size of the box, but you may need additional licenses, and in some cases, unique remote access needs require some unique products. If you're currently supporting remote access via IPsec VPN, you'll want to understand the impact firewall and VPN client software changes may have on your users. Sometimes it's more of a headache than you want, but proper planning can help mitigate the level of frustration.

Physical interfaces

Although rarely an issue in smaller organizations, it's certainly advisable to be sure any firewalls you're considering support the appropriate physical connections you need. Most common are gigabit copper ports, but you may need a firewall that supports expansion or flex modules for SFP/fiber, T1, or ADSL connections.

Advanced features

If your organization has some specific issues or needs to address, be sure to discuss those with your integrator or vendor. In certain product lines, many vendors offer advanced features that may be of interest to you, such as layer 7 application firewalls to address peer-to-peer traffic and bandwidth-hogging applications. Others offer content filtering as an add-on or as part of a security bundle. Again, these add-ons can be much more cost-effective on a firewall since they're usually licensed per box and not per user; content filtering is a great example of that. You may need advanced archiving or logging options for your compliance needs. Other advanced features that may determine your firewall selection include single sign-on functions, options for redundancy and high availability, and the dynamic routing protocols supported. For example, if you plan to use BGP for a private MetroE network, your options will be different than those for OSPF or RIP.

These are just a few of the considerations when selecting a firewall for an SMB. If you're in the market for a new firewall, think it through and dedicate the appropriate amount of time to selecting the right product for you. Replacing firewalls is not a task to take lightly and it's definitely not something you want to do more often than is absolutely necessary.

Jennifer Jabbusch is a CISO and infrastructure security specialist at Carolina Advanced Digital. By day she architects enterprise security solutions and by night, well, she does the same thing. For Dark Reading, she melds her enterprise experience and intimate knowledge of small business operations to deliver relevant security guidance for SMBs everywhere. Jennifer Minella is VP of Engineering and consulting CISO at Carolina Advanced Digital, and an author, speaker and consultant for infrastructure security for government, education and Fortune 100 and 500 corporations.
